Friday, September 23, 2011

facebook's ticker: a ticking privacy timebomb?

there's a lot of pixels and bits being dedicated to the major changes that are underway at facebook, but most of the attention seems to be focused on the timeline feature. i tend to think the ticker feature deserves a lot more attention and, frankly, concern.

first off, it seems clear that facebook wants to be the destination for an ever increasing number of activities - not just farmville or mafia wars, but consuming print, audio, and video media, and even purchasing goods too. fine, facebook wants to be the web portal to end all web portals - the next AOL or compuserve - it's fine to have aspirations like that; although actually being AOL or compuserve doesn't seem to have worked out that great for AOL or compuserve in the end.

but with that breadth of possible activities in mind, the idea that facebook will now be sharing everything you do automatically seemed really rather stupid to me at first. maybe there is too much friction inhibiting sharing right now, maybe clicking a button isn't easy enough, but truly "frictionless" sharing that happens without any action taken on the user's part takes the intent out of sharing. sharing loses all meaning that way. it no longer tells you the sharer thought this article was insightful or that video was funny, it doesn't give any hint whatsoever as to whether the sharer thought something was worthwhile, it just collects everything in one big activity profile. indeed, was the person performing those activities really the sharer in that situation, or is the sharer facebook themselves?

at first you might think that the resulting poor signal/noise ratio would render facebook as irrelevant as myspace and its blinking, glittery profile pages have become. the folks at facebook seem to have realized this, though. they don't want people's main feeds to get filled with all that noise. they recognize that from a personal interaction standpoint, this data is too voluminous and unimportant. that's why they've relegated the data to a new place - the ticker.

the question you should be asking yourself right now, however, is this: if this data isn't actually useful to users when they're connecting with their friends, why is facebook interested in automatically sharing it? who is interested in that data? the answer is simple - advertisers. a large profile of everything you read, watched, listened to, and did online is for all intents and purposes your web history. in this case it will be your web history as seen through the eyes of facebook. we in the security community get upset about browser vulnerabilities leaking our browser history, or tracking cookies being used to track where we've been; the data collected for ticker is not going to be inherently different than the data acquired through those other means. furthermore, it's too voluminous and granular to be useful to anything other than an automated process that looks for certain types of patterns and trends. the kind of process you'd use for the automated targeting of ads - targeting based on your activities, your behaviour.

the ruse of "frictionless sharing" appears to be a trojan horse (not the malware variety one might traditionally think of, though) for introducing behavioural profiling for the purposes of targeted advertisements. social spyware at its best.

but even if that's not the case, even if that data really is meant for a user's friends to see and use, there is a profound implication buried in the automated sharing of everything. you can't control your public image if the choice of what you share about yourself is taken away from you. for all the hand wringing recently about the damage that real name policies do (eliminating your ability to control the personal information that your identity represents), the elimination of your ability to control your public image means the elimination of the persona - something that has been part of the social experience of humans since the dawn of mankind if not longer.

our true selves, the nature that we keep hidden behind the masks that we each present to the world, is something that we innately keep private. i simply cannot believe that our social norms are headed in the direction of completely removing those social masks. giving up that private information in exchange for access to a service is a privacy bargain that we have never faced before.

so, if you thought the ways facebook could violate our privacy couldn't get much worse, you were dead wrong.